Personal Details of 120 Million Brazilians Exposed

Misconfigured databases with poor or absent access controls on both cloud and in-house servers is a known and common problem. Where these databases are exposed to the internet, anybody -- with or without cyber expertise -- can access the database and its content. While there is no 'hack' involved, such instances should still be called a breach since there is often no way of knowing whether the data contained has been accessed by malicious actors.

The potential severity of such breaches can only be measured by the quantity and quality (in terms of malicious potency) of the data contained.

In March 2018, researchers at InfoArmor discovered (PDF) an exposed database that contained extensive personal data for 120 million Brazilians. This comprised a unique identity number (the Cadastro de Pessoas FÌsicas, or CPF) that is issued by the Brazilian Federal Reserve to Brazilian citizens and tax-paying resident aliens.

To put this in perspective, the total population of Brazil last year stood at 210 million, with an electorate of just over 147 million.

The exposure was via an unprotected back-up index file named 'index.html_bkp'. InfoArmor regularly scans the internet for problem servers using its own AI-enhanced process. "With the mad rush to share tenant cloud services, we are seeing a tremendous amount of leaked data that is potentially 10 times greater than actual threat actor activity," commented Christian Lees, chief intelligence officer at InfoArmor.

Lees told SecurityWeek that the inclusion of 'bkp' in the file name likely produced a major red flag to his company's scanning process. Had the index not been renamed, or if access had been controlled through proper htaccess configuration, there would have been no problem.

While InfoArmor observed the server over the next few days, the researchers noted that an 82 Gb file was replaced by a raw SQL file. This suggested that the data was live and being worked on. However, the new file host had a different IP address than the previous one -- which added confusion over who really 'owned' the data.

From April onward, the researchers attempted to locate the owner to report the flaw. They wrote to an email address registered to one of the hosts of the SQL, but it bounced. "For weeks, InfoArmor attempted to notify the owners. The team watched the open directory, and saw the files grow larger and smaller, as if users were just working with them in the open."

After several more weeks the flaw was fixed. The earlier misconfiguration was reconfigured as a functional website with an authenticated alibabaconsultas(.)com domain and authenticated login. Although this doesn't confirm that alibabaconsultas(.)com was responsible for the leak, it does look as if they were at least involved if only in a hosting-as-a-service function.

InfoArmor warns "it is very likely sophisticated adversaries harvested this information. It took over a year for data stolen from Yahoo to appear for sale on the dark web, and data as unique as what was available in Brazil's CPF server is likely to be traded among the most closed off and exotic data troves of the dark web."

But there are two other issues that are worth considering. 2018 has been the year in which GDPR came into force, and the year in which the extent of worldwide attempted election manipulation has come to the fore. 2018 was also an election year in Brazil. A last-minute surge in the polls by a far-right former army captain almost won an outright majority for Jair Bolsonaro. Bolsonaro won the run-off vote on October 28, 2018. There is no suggestion that this election was manipulated, but it is noticeable that the exposed data includes 'voting registration numbers'.

GDPR may also be relevant to this breach. One of the GDPR unknowns is the extent to which EU regulators will press the jurisdictional aspects of the law. It applies to EU citizens and residents. Just as an example, there are many Brazilian footballers, who retain Brazilian nationality resident and work in Europe. Technically speaking, this breach could well be considered subject to GDPR if the personal details of any of these footballers was compromised.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.